Aug. 28, 2013
Copies of The New York Times are sold in New York this month. / MARK LENNIHAN, AP

by Roger Yu, USA TODAY

The New York Times' website was back in business Wednesday, a day after it was hacked by what appears to be the Syrian Electronic Army.

"The situation is close to being fully resolved," said Times spokeswoman Eileen Murphy, in a statement. "Our traffic levels are almost back to normal, but there may be instances of some ISPs (Internet service providers) having not yet restored the proper DNS records."

The SEA, a group of hackers who support Syrian President Bashar Assad, claimed responsibility online and said it also hacked Twitter's sites. The hackers seem to have gained access to the sites through Melbourne IT, an Australian company that specializes in website domain name registration.

The Times' website first crashed at about 3 p.m. ET Tuesday and was still down early Wednesday. It was pretty much back in action by midmorning.

The Domain Name System, or DNS, indexes and matches domain names - like NYTimes.com - to their numerical Internet addresses, which can be read by computers and servers.

It is the second failure of the Times' site in two weeks. It went dark on Aug. 14 due to what the publication said then was an internal problem, not the result of hacking.

Marc Frons, chief information officer for The New York Times Co., didn't directly blame the Syrian Electronic Army. But he told New York Times staffers in a memo Tuesday that the problem appeared to be the work of the SEA or "someone trying very hard to be them," according to a report by The New York Times.

Twitter and The Huffington Post also said that their websites had been affected by DNS attacks. For Twitter, the Tuesday attack on its website used for images resulted in users having trouble viewing photos. A Twitter account that seemingly belongs to the SEA showed an image that indicates SEA attacked Twitter's domain. The Huffington Post said Wednesday morning it had experienced "minimal disruption," adding everything had come back to normal.

Melbourne IT blamed one of its distributors for the security breach, saying the hackers gained access to its account.

A targeted phishing attack - in which hackers seek to gain personal information, such as the username and password, with enticing e-mails - was used to obtain the credentials of the users of the distributor's account, the company said.

The information was then used to manipulate the DNS records of several domain names on that distributor's account - including NYTimes.com - and direct readers to another site.

In looking at its logs, Melbourne IT discovered that the hackers used an Internet protocol address that is based in India. Melbourne IT says it has "no connection with the Internet service provider in India."

"It is just as likely that the hackers are using a compromised computer in India," said Bruce Tonkin, chief technology officer of Melbourne IT.

Melbourne IT said it restored the affected DNS records to their previous settings and took measures to prevent further intrusions.

Such attacks underscore the vulnerability of media websites that are becoming increasingly complex as they integrate more software and content from vendors, including "widget" developers and advertising networks.

Media sites need to be particularly vigilant in monitoring attacks as they are attractive to hackers with an agenda, Ollmann said. "If the website of GE or The New York Times went down, which is going to generate more attention?"

A day after the Times' Aug. 14 crash, the SEA took down the websites of The Washington Post, CNN and Time. The companies said the SEA hacked the Internet service of Outbrain, a content recommendation company whose software widget is embedded in their websites.

"Registrars really need to run a tighter ship," said Paul Ferguson, vice president of threat intelligence at Internet security company IID. "This seems to continually happen, and each time it further erodes trust in the entire system."